Re: iptables advice

To: max@fuckaround.org
Cc: debian-user@lists.debian.org
Subject: Re: iptables advice
From: Dan Ritter <dsr@randomstring.org>
Date: Fri, 28 Oct 2016 11:53:35 -0400
Message-id: <[🔎] 20161028155335.GY20151@newtao.randomstring.org>
In-reply-to: <[🔎] ddc9a058-84e5-d442-9be3-cb9aa638e52a@fuckaround.org>
References: <[🔎] ddc9a058-84e5-d442-9be3-cb9aa638e52a@fuckaround.org>

On Thu, Oct 27, 2016 at 01:36:23PM +0200, Pol Hallen wrote:
> Hello all :-)
> 
> I've 2LAN (192.168.1/24 and 192.168.2/24) with these rules:
> 
> iptables -A FORWARD -s 192.168.1/24 -d 0/0 -j ACCEPT
> iptables -A FORWARD -m state --state ESTABLISHED,RELATED -d 192.168.1/24 -j
> ACCEPT
> 
> and same rules for 192.168.2/24: this allow each lan see other lan.
> 
> Can I deny only lan2 (192.168.2/24) to see lan1 (192.168.1/24) but allow
> lan1 see lan2?

It depends on what you mean by "see".

Do you mean 192.168.1/24 should be able to start connections to
192.168.2/24 and receive replies, but not the reverse?

If so, you want:

# .1 can send anything anywhere
-A FORWARD -s 192.168.1/24 -d 0/0 -j ACCEPT
# .2 can send back answers to .1
-A FORWARD -s 192.168.2/24 -d 192.168.1/24 \
             -m state --state ESTABLISHED,RELATED -j ACCEPT
# .2 is not allowed to establish new sessions to .1
-A FORWARD -s 192.168.2.24 -d 192.168.1/24 \
             -m state --state NEW -j DROP
# .1 can receive anything else
-A FORWARD -d 192.168.1/24 -d 0/0 -j ACCEPT

-dsr-

Reply to:

References:
- iptables advice
  - From: Pol Hallen <deben@fuckaround.org>

Prev by Date: Re: Permissions for an entire PARTITION
Next by Date: Re: dependencies problem to install lightworks on jessie
Previous by thread: iptables advice
Next by thread: Re: iptables advice
Index(es):
- Date
- Thread